On January 3, 2018, the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a final rule to revise 42 CFR Part 2, the federal regulations governing confidentiality of certain substance abuse patients' records. The 2017 Final Rule (82 FR 6052) was the first time in 30 years that Part 2 was substantively revised. In conjunction with the 2017 Final Rule, SAMHSA released a supplemental notice of proposed rulemaking (SNPRM) (82 FR 5485) seeking comment on:

  • Payment and health care operations disclosures of substance use disorder (SUD) information made by Part 2 programs and entities ("Lawful Holders") to contractors, subcontractors, and legal representatives;
  • Audit or evaluation disclosures; and
  • Abbreviated notice of the prohibition on re-disclosure.

The finalized rules contained in the SNPRM (the "2018 Final Rule") are effective February 2, 2018, except for the requirements of disclosures permitted with written consent contained in Section 2.33(c), which must be implemented by February 2, 2020.

Disclosure for Payment & Health Care Operations

In the preamble to the 2018 Final Rule, SAMHSA recognized the legitimate needs of Lawful Holders to disclose patient information to their contractors, subcontractors, and legal representatives for purposes of payment and health care operations as long as the core protections of 42 CFR Part 2 are maintained. As such, Part 2 now permits Lawful Holders to disclose SUD information to contractors and subcontractors to enable them to carry out payment and health care operations activities without those contractors being individually identified on the patient consent form. In the SNPRM, SAMHSA enumerates a specific list of payment and health care operations that will be acceptable for any Lawful Holder of SUD information to disclose to a contractor, subcontractor and legal representative. This list includes the following:

  • Billing, claims management, collections activities, obtaining payment under a contract for reinsurance, claims filing and related health care data process;
  • Clinical professional support services (e.g., quality assessment and improvement; initiatives, utilization review and management services);
  • Patient safety activities;
  • Activities pertaining to training of student trainees and health care professionals, assessment of practitioner competencies, assessment of provider or health plan performance, and training of non-health care professionals;
  • Accreditation, certification, licensing or credentialing activities;
  • Underwriting, enrollment, premium rating and other activities related to the creation, renewal, or replacement of a contract of health insurance or health benefits, and ceding, securing or placing a contract for reinsurance of risk relating to claims for health care;
  • Third-party liability coverage;
  • Activities related to addressing fraud, waste and abuse;
  • Conducting or arranging for medical review, legal services and auditing functions;
  • Business planning and development, such as conducting cost management and planning-related analyses related to managing and operating, including formulary development and administration, development or improvement of methods of payment or coverage policies;
  • Business management and general administrative activities, including, but not limited to, management activities relating to implementation of and compliance with the requirements of this or other statutes or regulations;
  • Customer services, including the provision of data analyses for policyholders, plan sponsors or other customers;
  • Resolution of internal grievances;
  • The sale, transfer, merger, consolidation or dissolution of an organization;
  • Determinations of eligibility or coverage (e.g., coordination of benefit services or the determination of cost sharing amounts), and adjudication or subrogation of health benefit claims;
  • Risk adjusting amounts due based on enrollee health status and demographic characteristics; and
  • Review of health care services with respect to medical necessity, coverage under a health plan, appropriateness of care or justification of charges;

In the 2018 Final Rule, SAMHSA reversed course however and decided against providing a specific list of payment and health care activities for which SUD information could be shared in the text of Part 2, citing concerns that the rapid changes occurring in the health care payment and delivery system could render any list of activities included in the regulatory text outdated. Now, the enumerated activities are now included in the preamble to Part 2 as illustrative rather than exhaustive of the potential types of acceptable disclosures related to payment and health care operations.

SAMHSA also noted that permitted payment and health care operations do not include SUD patient diagnosis, treatment or referral for treatment. Further, disclosures made by Lawful Holders to contractors and subcontractors concerning care coordination or case management are not considered part of the payment or health care operations function. SAMHSA acknowledged this decision is a departure from the definition of "health care operations" in the Health Insurance Portability and Accountability Act privacy regulations (HIPAA) but stated it believes it is important to maintain patient choice in disclosing information to health care providers with whom patients have direct contact.

Additionally, Lawful Holders that engage contractors or subcontractors to carry out payment and health care operations must implement written agreements requiring contractors and subcontractors to comply with provisions of Part 2. SAMHSA does not provide specific language to be included in the written agreement, recognizing that providers have different approaches to Part 2 compliance. SAMHSA requires that SUD information passed between Lawful Holders and subcontractors be limited to the minimum information necessary to carry out the desired payment or health care operation function.

Disclosures between QSOs and Contractors

SAMHSA received comments requesting that qualified service organization's (QSO) be allowed to contract with Lawful Holders of SUD information; however, SAMHSA declined to adopt this recommendation.

Disclosures for Audits and Evaluations

The 2018 Final Rule clarifies that Lawful Holders are permitted to disclose SUD information without patient consent to federal, state and local governments to allow these governmental entities to carry out audits and evaluations. In the preamble, SAMHSA provided two examples of permissible disclosures for audits and evaluations:

  • An accountable care organization (ACO) or similar Centers for Medicare and Medicaid Services (CMS) model requesting information to evaluate the impact of integrated care on several participating behavioral health care programs' quality of care; and
  • State government performing an audit on how many individuals who leave state-supported correctional facilities and subsequently receive substance use disorder treatment.

There are limitations however on disclosures between Lawful Holders and government entities. SUD information disclosed in an audit or evaluation may only be shared by the government entity back to the Lawful Holder and the government entity must only use the SUD information to carry out the intended audit or evaluation.

Abbreviated Notice for Re-disclosure

Part 2 requires that every disclosure of SUD information made with the patient's consent be accompanied with a written notice prohibiting re-disclosure of the information. SAMHSA received comments that an abbreviated notice would be more effective given the character limits in free-text fields within electronic health record (EHR) systems. With the 2018 Final Rule, SAMHSA has modified the notice to 80 characters as follows:

"Federal law/42 CFR part 2 prohibits unauthorized disclosure of these records."

SAMHSA noted that entities are not required to use the abbreviated notice; they may still use the standard prohibition on re-disclosure notice. Also, recognizing concerns expressed by commenters that an abbreviated notice could be insufficient to convey understanding of Part 2 requirements, SAMHSA encourages Part 2 programs and Lawful Holders using the abbreviated notice to discuss the requirements with those to whom they disclose patient identifying information.

Part 2 – HIPAA Alignment

In response to the SNPRM, SAMHSA received several comments requesting Part 2 better align with HIPAA. In the 2018 Final Rule, SAMHSA asserts it is trying to align Part 2 with HIPAA to the extent feasible. However, SAMHSA noted that Part 2 was intended to provide more stringent protections on SUD information than those afforded protected health information (PHI) under HIPAA because of the greater risk of discrimination or adverse reaction in the disclosure of SUD information. SAMHSA noted in the preamble that it will continue to evaluate and review issues that may be feasible for alignment with HIPAA.

By March 20, 2018, HHS will hold a meeting with relevant stakeholders to discuss the effectiveness of the Part 2 regulations on patient care, health outcomes and patient privacy, but any greater alignment with HIPAA will likely need to come through legislation, as SAMHSA has implied that alignment is constrained by the text of the statutory law.

Recommended Steps for Part 2 Programs, Their Contractors and Subcontractors

In light of these additional changes, we recommend that Part 2 programs and Lawful Holders take the following steps to ensure compliance with the Part 2 rules:

  • Assess compliance with Part 2 requirements;
  • Revise policies and procedures to address all revised requirements;
  • Update patient consent forms to address the new disclosures permitted to subcontractors for payment and health care operations;
  • Evaluate current contracts and/or implement new contracts with contractors and subcontractors to ensure the subcontractors will be bound by Part 2 regulations when receiving SUD information.
  • Audit current re-disclosure notice processes and consider whether the abbreviated version of the prohibition on re-disclosures should be used in some instances, such as with EHRs or when e-billing insurance claims.